Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP1 — maintainability, architecture, long-term qualityScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

backend ruleP1universalStack: node

securityhmacauthenticationsecrets

Prefer an HMAC signature over a raw shared-secret header

Authenticating service-to-service calls by sending a plaintext shared secret in a header means a single leak compromises everything; send an HMAC of the request instead so the header is safe to expose.

PR: hegnar-journalist-boost · org-mining-2026-06Created: Jun 17, 2026

Bad example

Old codetypescript

1	`// secret travels in plaintext; if it leaks, attacker can replay anything`
2	`fetch(url, { headers: { 'x-internal-secret': INTERNAL_API_SECRET } });`

Explanation (EN)

Objašnjenje (HR)

Good example

New codetypescript

1	`// sign the request; the header carries no reusable secret`
2	`const sig = createHmac('sha256', INTERNAL_API_SECRET)`
3	.update(`${method}:${path}:${timestamp}`)
4	`.digest('hex');`
5	`fetch(url, { headers: { 'x-signature': sig, 'x-timestamp': timestamp } });`

Explanation (EN)

Objašnjenje (HR)

Login required